FirewallD in a nutshell 101

With FirewallD, some Linux distributions introduced a new default firewall that differs heavily from the previous interfaces. This post focuses on the basic concepts and some practical examples.

A major difference is that the firewall now supports changes at runtime without dropping active connections. FirewallD integrates with D-Bus, which makes it easier for applications and services to retrieve and control the firewall configuration. In addition to that, there are plenty of pre-configured zones and services which enable faster configuration.

Using the --timeout parameter it is possible to limit firewall rules from a time perspective. As an example, it is possible to create a rule that temporarily enables a service for the duration of an installation; the rule is removed automatically once the timeout expires. A feature named lockdown mode can be used to permit only selected applications to control the firewall (via D-Bus). Unlike its predecessors, FirewallD integrates with Puppet and also stores and exports its configuration as XML for sharing (to be honest, I’d prefer JSON or YAML).

FirewallD is available for plenty of platforms, for example:

RHEL 7 and distributions based on it (CentOS, Scientific Linux)

Fedora 18 and newer

SUSE Linux Enterprise Server 15

optionally for Ubuntu 14.04, Debian 8, openSUSE 42.2 and newer

Basically, there is also a graphical configuration utility named firewall-config, but I will focus on the command-line utility firewall-cmd in this post.

Zones

From a FirewallD perspective, a zone is a trust level that defines the permitted services and ports as well as other behaviors (such as the default action for traffic that is not explicitly allowed). There are plenty of pre-configured zones that can often be used without customizing them.

Some of the available zones have comparable behaviors; see the following comparison (the "Default action" column is the zone target; "none" means the zone uses firewalld's default target):

Zone      | Default action | Characteristics                           | Enabled services
----------|----------------|-------------------------------------------|----------------------------------------
block     | REJECT         | Only answers to outgoing requests allowed | none
drop      | DROP           | Only outgoing traffic allowed             | none
dmz       | none           | Only enabled exceptions allowed           | ssh
external  | none           | Only enabled exceptions allowed           | ssh
public    | none           | Only enabled exceptions allowed           | ssh, dhcpv6-client
home      | none           | Only enabled exceptions allowed           | ssh, mdns, samba-client, dhcpv6-client
internal  | none           | Only enabled exceptions allowed           | ssh, mdns, samba-client, dhcpv6-client
work      | none           | Only enabled exceptions allowed           | ssh, dhcpv6-client
trusted   | ACCEPT         | All traffic allowed                       | all

From a kernel perspective, there is a huge difference between REJECT and DROP. With REJECT, the sender is informed that the port is not accessible (an ICMP unreachable message or, for TCP, a reset), so it knows immediately. DROP silently discards the packet, so the sender only sees a timeout; this is used on exposed networks (e.g. a DMZ) to slow down port scanning, although it does not prevent it. Zones without an explicit default action use firewalld's default target, which rejects traffic that matches none of the enabled services or ports.

Active zones (those with at least one network interface or source address bound to them) can be listed like this:

# firewall-cmd --get-active-zones
public
interfaces: ens33

Alternatively, you can also query the zone a particular network interface is bound to.
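The per-interface lookup referred to above is firewall-cmd --get-zone-of-interface=ens33. When auditing a host, however, what you usually want is one line per active zone showing its target, the interfaces bound to it and what it opens. The following script is an added example and not part of the original post: it parses the text output of firewall-cmd --list-all-zones (format of firewalld 0.4.x assumed) and flags any active zone whose target is ACCEPT, because an interface bound to such a zone (for instance "trusted") is not filtered at all. The sample output embedded in the script is constructed, not captured from a real host, and the function name summarize_zones is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarize `firewall-cmd --list-all-zones`
# so that every active zone is shown on one line with its target, interfaces,
# services and ports. Zones whose target is ACCEPT are flagged, because an
# interface bound to such a zone (e.g. "trusted") is not filtered at all.
# Assumes the text output format of firewalld 0.4.x.

# Constructed sample output (not captured from a real host). On a real system run:
#   firewall-cmd --list-all-zones | summarize_zones
SAMPLE='public (active)
  target: default
  interfaces: ens33
  sources:
  services: ssh dhcpv6-client
  ports: 6667/tcp

trusted (active)
  target: ACCEPT
  interfaces: ens34
  sources:
  services:
  ports:

home
  target: default
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:'

summarize_zones() {
    awk '
    # a zone block starts with an unindented line; "(active)" marks zones with
    # an interface or source bound to them
    /^[^ ]/ {
        emit()
        zone = $1
        active = ($0 ~ /\(active\)/)
        target = ifaces = svcs = ports = ""
        next
    }
    /^ +target:/     { target = $2 }
    /^ +interfaces:/ { sub(/^ +interfaces: */, ""); ifaces = $0 }
    /^ +services:/   { sub(/^ +services: */, "");   svcs   = $0 }
    /^ +ports:/      { sub(/^ +ports: */, "");      ports  = $0 }
    END { emit() }

    # print the zone collected so far, but only if it is active
    function emit(   flag) {
        if (zone == "" || !active) return
        flag = (target == "ACCEPT") ? " [WARN: target ACCEPT, no filtering]" : ""
        printf "%s target=%s interfaces=%s services=%s ports=%s%s\n",
               zone, target,
               (ifaces == "" ? "-" : ifaces),
               (svcs   == "" ? "-" : svcs),
               (ports  == "" ? "-" : ports), flag
    }'
}

# stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE" | summarize_zones
```

Inactive zones (here "home") are skipped on purpose: a zone with no interface or source bound to it filters nothing, so its services are irrelevant for the audit.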

Runtime and Permanent

Basically, FirewallD supports two configurations: runtime and permanent. When the firewall starts, the permanent configuration is read from the file system. Pre-defined templates can be found in the /usr/lib/firewalld folder; customized templates and configurations are stored under /etc/firewalld, where a file takes precedence over the one with the same name in /usr/lib/firewalld. By default, every change made with firewall-cmd applies to the runtime configuration only and is lost when firewalld is reloaded or restarted. To change the permanent configuration instead, use the --permanent parameter; such a change is written to disk but does not take effect until firewalld is reloaded.

In other words, if you want a change in both the runtime and the permanent configuration, you need to execute the command twice, once without and once with --permanent.

Ports

Besides services, individual ports can also be opened, for example like this:

# firewall-cmd --zone=home --add-port=6667/tcp

After changing the configuration, the opened ports can be listed with the --list-ports parameter:

# firewall-cmd --zone=home --list-ports
6667/tcp

Again, there is a corresponding parameter for removing the port. Note that the following command uses --permanent, so only the permanent configuration is changed; at runtime the port stays open until the next reload:

# firewall-cmd --zone=home --remove-port=6667/tcp --permanent
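Executing every command twice by hand, as the "Runtime and Permanent" section requires, is error-prone: it is easy to forget one of the two and end up with a port that is open now but closed after the next reload, or the other way round. The helpers below are an added example, not code from the original post or from the firewalld project. They wrap firewall-cmd so that one call applies a change to both configurations, validate the port specification before touching the firewall, handle the --timeout case from the introduction (which is runtime-only, since --timeout cannot be combined with --permanent) and verify the result with --query-port. The FWCMD variable, the function names and the validation rule are this example's own choices; pointing FWCMD at echo gives a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): helpers that apply a change to
# the runtime AND the permanent configuration in one go, validate the port
# specification and handle the runtime-only --timeout case.
# FWCMD, the function names and the validation rule are this example's own.
FWCMD="${FWCMD:-firewall-cmd}"   # set FWCMD=echo for a dry run

# Reject anything that is not PORT/tcp or PORT/udp before touching the firewall.
fw_check_portspec() {
    case "$1" in
        [0-9]*/tcp|[0-9]*/udp) return 0 ;;
        *) echo "invalid port specification: '$1' (expected e.g. 6667/tcp)" >&2; return 2 ;;
    esac
}

# Run one firewall-cmd invocation twice: runtime first (takes effect now),
# then --permanent (survives reload and reboot). Stops at the first error.
fw_both() {
    "$FWCMD" "$@" && "$FWCMD" --permanent "$@"
}

# fw_add_port ZONE PORT/PROTO and fw_remove_port ZONE PORT/PROTO
fw_add_port()    { fw_check_portspec "$2" || return; fw_both --zone="$1" --add-port="$2"; }
fw_remove_port() { fw_check_portspec "$2" || return; fw_both --zone="$1" --remove-port="$2"; }

# Temporary opening: --timeout cannot be combined with --permanent, so this is
# a runtime-only change that firewalld removes by itself after SECONDS.
fw_add_port_temp() {   # fw_add_port_temp ZONE PORT/PROTO SECONDS
    fw_check_portspec "$2" || return
    "$FWCMD" --zone="$1" --add-port="$2" --timeout="$3"
}

# Verify the runtime state afterwards: --query-port exits 0 if the port is open.
fw_port_open() {
    "$FWCMD" --zone="$1" --query-port="$2" >/dev/null 2>&1
}

# Stand-alone demonstration, only on a host that actually has firewalld.
if command -v "$FWCMD" >/dev/null 2>&1; then
    fw_add_port home 6667/tcp
    fw_port_open home 6667/tcp && echo "6667/tcp is open in zone home"
    fw_remove_port home 6667/tcp
fi
```

On newer firewalld releases the same result can be reached the other way round: make the change at runtime, test it, and then copy the whole runtime state into the permanent configuration with firewall-cmd --runtime-to-permanent. Either way, check the runtime state with --query-port (or --list-ports) after the change rather than assuming the command did what you intended.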

Conclusion

On Enterprise Linux, managing firewall rules is way easier with FirewallD than it was with system-config-firewall-tui. Another advantage is the possibility to change firewall rules without dropping active connections. Templates can be distributed in a more readable way, though I’m still looking forward to YAML and JSON support.

The second part of this post series will focus on customized services, zones and NIC mappings.